ToolShell Zero-day: Microsoft Rushes Emergency Patch for Actively Exploited SharePoint Vulnerabilities
On July 19, 2025, Microsoft issued an emergency out-of-band security update to address two zero-day vulnerabilities in Microsoft SharePoint Server: CVE-2025-53770 and CVE-2025-53771. These vulnerabilities are under active exploitation in the wild and demand immediate attention to protect your on-premises SharePoint environments.
CVE-2025-53770: Critical Remote Code Execution
The first of the two vulnerabilities, CVE-2025-53770, is a critical-severity remote code execution flaw with a CVSS score of 9.8 out of 10. Its root cause is deserialization of untrusted data: a remote, unauthenticated attacker who can reach a vulnerable SharePoint server over the network can execute arbitrary code in the context of the SharePoint application.
Attacks leveraging this vulnerability have been dubbed “ToolShell” and can lead to complete compromise of the targeted server, including access to sensitive data and the installation of malicious web shells for persistent access.
A particularly damaging outcome is theft of the server’s ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can forge signed __VIEWSTATE payloads that the server accepts as trusted, so code execution survives the patch until the keys are changed. Microsoft’s guidance is therefore to rotate the machine keys after patching (with the Update-SPMachineKey cmdlet or the Machine Key Rotation timer job in Central Administration) and then restart IIS on every SharePoint server.
Major authorities in both the U.S. and the U.K. have sounded the alarm: CISA has placed CVE-2025-53770 on its KEV list, and NHS England’s CSOC issued High-Severity Alert CC-4683 for active exploitation against Microsoft SharePoint Servers.
Why it matters
- A vulnerable SharePoint server becomes an immediate foothold for lateral movement and data theft.
- The flaw is actively weaponized, with exploitation confirmed by Microsoft and multiple research teams. It is triggered remotely with no authentication, no user interaction and no elevated privileges, so a single request can lead to full-system compromise.
- Because exploitation began before a fix was available, defenders have little or no lead time once a server is reachable from the internet. Exposed servers should be treated as potentially compromised and checked, not just patched.
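Because attackers were exploiting this flaw before a patch existed, the first question for an exposed server is whether it has already been hit. The following scanner, an added example that is not code from this post or from Qualys, walks IIS W3C logs and flags the two request patterns Microsoft published as ToolShell indicators: a POST to ToolPane.aspx with DisplayMode=Edit whose Referer is the SignOut page (the exploitation request), and any request to the dropped spinstall0.aspx key-dumping page. The log lines, hostnames and IP addresses are constructed for the example; the legitimate authenticated ToolPane edit in the sample shows why the Referer condition is needed to avoid false positives.

```python
"""Scan IIS W3C logs for ToolShell (CVE-2025-53770/53771) exploitation indicators.

Added example, not code from the Qualys post. The request indicators come from
Microsoft's public ToolShell guidance; every log line, host and IP below is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Exploitation request: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit with the
# Referer spoofed to the SignOut page (the auth-bypass half of the chain).
TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
# Web shell observed in the campaign; it returns the ASP.NET machine keys.
SPINSTALL_RE = re.compile(r"^/_layouts/1[56]/spinstall0?\.aspx$", re.I)


@dataclass(frozen=True)
class Hit:
    time: str
    client: str
    kind: str
    request: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per log row, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header defines the column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip truncated or malformed rows
            continue
        yield dict(zip(fields, parts))


def find_toolshell(lines: Iterable[str]) -> list:
    """Return a Hit for every row matching a ToolShell indicator, in log order."""
    hits = []
    for row in parse_w3c(lines):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        referer = row.get("cs(Referer)", "-")
        when = f"{row.get('date', '')} {row.get('time', '')}"
        client = row.get("c-ip", "-")
        request = f"{method} {stem}" + ("" if query == "-" else f"?{query}")

        # Stage 1: the unauthenticated ToolPane POST with the SignOut referer.
        if (method.upper() == "POST" and TOOLPANE_RE.match(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_REFERER_RE.search(referer)):
            hits.append(Hit(when, client, "toolpane-signout-referer", request))
        # Stage 2: anyone fetching the dropped key-dumping page.
        elif SPINSTALL_RE.match(stem):
            hits.append(Hit(when, client, "spinstall0-access", request))
    return hits


def suspicious_clients(lines: Iterable[str]) -> set:
    """Client IPs that produced at least one indicator hit."""
    return {h.client for h in find_toolshell(lines)}


# Constructed sample log: one normal GET, the exploitation POST, the web shell
# fetch, and a legitimate authenticated ToolPane edit that must NOT be flagged.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:10:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 35
2025-07-18 22:11:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 412
2025-07-18 22:12:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 18
2025-07-18 22:13:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.30 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 90
"""

if __name__ == "__main__":
    for hit in find_toolshell(SAMPLE_LOG.splitlines()):
        print(f"{hit.time} {hit.client} {hit.kind}: {hit.request}")
    print("suspicious clients:", sorted(suspicious_clients(SAMPLE_LOG.splitlines())))
```

Run it against the real logs under %SystemDrive%\inetpub\logs\LogFiles on each SharePoint front end; any hit, and especially a 200 response to spinstall0.aspx, means the machine keys must be assumed stolen and rotated in addition to patching.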
CVE-2025-53771: Server Spoofing Vulnerability
Tracked as a medium-severity vulnerability with a CVSS score of 6.3, CVE-2025-53771 is a spoofing vulnerability that arises from improper limitation of a pathname to a restricted directory (path traversal). On its own it is far less dangerous than the RCE flaw, but in the observed attack chain it supplies the unauthenticated entry point that lets an attacker reach the deserialization bug, so both must be remediated together.
History of the Vulnerabilities
- CVE-2025-53770 (RCE, CVSS 9.8): A bypass of the fix for CVE-2025-49704, the deserialization RCE that Microsoft addressed in the July 2025 Patch Tuesday roll-up. That fix proved incomplete, leaving a deserialization path that adversaries now exploit for unauthenticated remote code execution; Microsoft describes the new update as containing more robust protections than the July one.
- CVE-2025-53771 (Spoofing, CVSS 6.3): A path-traversal-driven spoofing flaw that bypasses the fix for CVE-2025-49706 from the same July 2025 bulletin. It is less severe than the RCE issue but is chained with CVE-2025-53770 in the ToolShell attacks to reach the vulnerable code without credentials, so prompt remediation is essential despite its medium rating. Installing the July Patch Tuesday update alone does not protect against either CVE.
Who is Affected?
These vulnerabilities impact on-premises installations of:
- Microsoft SharePoint Server Subscription Edition
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016
Microsoft SharePoint Online (part of Microsoft 365) is not affected by these vulnerabilities. SharePoint Server 2010 and 2013 are out of extended support and are not expected to receive a fix; the Qualys TRU team is still validating whether they are vulnerable. Treat any internet-exposed instance of those versions as at risk and isolate or decommission it.
Qualys QID Coverage
Qualys has released the QIDs in the table below for the above-mentioned vulnerabilities. An asset that is clean for QID 110498 but still flagged for QID 110501 has the July 2025 Patch Tuesday update but not the out-of-band fix, and remains exploitable.
CVE | QID | Title | Version
CVE-2025-53770 / CVE-2025-53771 | 110501 | Microsoft SharePoint Server Multiple Vulnerabilities | VULNSIGS-2.6.376-4
CVE-2025-49706 / CVE-2025-49704 | 110498 | Microsoft SharePoint Server Security Update for July 2025 | VULNSIGS-2.6.366-4
Eliminating Risk of these Vulnerabilities with the Qualys Enterprise TruRisk™ Platform
Identify At-Risk SharePoint Servers with Qualys CSAM 3.0
Start by mapping every SharePoint instance that could be hit. With CyberSecurity Asset Management (CSAM) 3.0 and its External Attack Surface Management module, quickly surface:
- Internet-facing SharePoint servers running the vulnerable builds tied to CVE-2025-53770/CVE-2025-53771
- On-premises or cloud hosts still on End-of-Life (EOL) or End-of-Support (EOS) SharePoint versions
- Shadow or misconfigured instances that traditional inventories may have missed
Identify every asset running SharePoint Server Subscription Edition, 2019 or 2016 that is vulnerable to CVE-2025-53770/CVE-2025-53771:
software:(name:"sharepoint" and marketVersion:[2016,2019]) or software:(name:"Microsoft SharePoint Server Subscription Edition")

Strengthen Your Security Posture with Qualys VMDR
Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks. Additionally, Qualys customers can leverage Qualys Patch Management to remediate these vulnerabilities effectively.
Leverage the power of Qualys VMDR alongside TruRisk™ scoring and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.
Use this QQL statement:
vulnerabilities.vulnerability.cveIds: CVE-2025-53770 or CVE-2025-53771

Automatically Patch with Qualys Patch Management
Microsoft is shipping the out-of-band updates for the affected versions listed above. Qualys Patch Management can deploy those updates to vulnerable assets, automatically or on demand, as soon as they are published for each version.
Customers can use the “Patch Now” button to the right of the vulnerability to add these vulnerabilities to a patch job and start an emergency patch cycle. As each update becomes available, Qualys maps it to the relevant QIDs and can add it to the job automatically, so the fix is deployed to vulnerable devices directly from the Qualys platform. Patching alone does not evict an attacker who is already present: after the update, rotate the ASP.NET machine keys and restart IIS as Microsoft recommends, and review the server for web shells.
Leverage Qualys TruRisk™ Eliminate to Mitigate These Risks Until a Patch Can Be Deployed
To help organizations address this risk quickly, customers running the Qualys agent can use TruRisk Eliminate, which is fully integrated with the VM module, to assign the relevant IG (Information Gathered) QIDs to the team responsible for the SharePoint servers. That team can then test and deploy a mitigation that protects against exploitation until the patch can be installed, directly from the Qualys console and through the existing agent. There is nothing new to install.
The same researchers who developed the detection signatures for the SharePoint patch bypasses have written and tested the mitigation script, so organizations can neutralize this threat quickly and effectively.
If you are not subscribed to the TruRisk Eliminate module, you can visit this page to start a trial or ask your TAM to enable a trial for you.
Once the TruRisk Eliminate module is enabled, open the VMDR Vulnerabilities tab, select the vulnerabilities on the assets you want to mitigate, and choose Actions -> View Risk Eliminate:

Use the Mitigate Now button, or multi-select vulnerabilities and choose Actions -> Create Mitigation Job, to start a mitigation job that applies the mitigation to your assets.
For an in-depth technical blog post, visit our Threat Protect post on these vulnerabilities.